11-08-2022 01:16 AM - edited 11-08-2022 01:28 AM
Hi guys,
I'm using Change of Authorization (CoA) Re-authenticate Cisco:cisco-av-pair=subscriber:command=reauthenticate.
It works fine on PAP and CHAP, but the endpoint can't come online again with EAP-MD5, PEAP, TTLS or TLS.
The traffic capture file contains the successful process and the failed ones. In the failed process the CoA is all successful, but then ISE rejects the switch.
And on the ise log page,
the first error shows
Event | 5440 Endpoint abandoned EAP session and started new |
Failure Reason | 5440 Endpoint abandoned EAP session and started new |
Resolution | Verify known NAD or supplicant issues and published bugs. Verify NAD and supplicant configuration. |
Root cause | Endpoint started new authentication while previous is still in progress. Most probable that supplicant on that endpoint stopped conducting the previous authentication and started the new one. Closing the previous authentication. |
Endpoint started new authentication while previous is still in progress. ---------- I don't know how ISE knows which is the new and which is the previous authentication.
And the second error shows
Event | 5400 Authentication failed |
Failure Reason | 11051 RADIUS packet contains invalid state attribute |
Resolution | Do the the following: Check the network device or AAA Client for hardware problems or known RADIUS compatibility issues ; Check the network that connects the device to ISE for hardware problems. |
Root cause | The state attribute in the RADIUS packet did not match any active session. |
About the known RADIUS compatibility issues: I'm actually using an H3C switch, and I don't know how this compatibility issue happens.
About "11051 RADIUS packet contains invalid state attribute" and "The state attribute in the RADIUS packet did not match any active session": I have looked into the network traffic capture, and I have to admit the State is not the same before and after the CoA, but maybe that's because ISE sends the new State ID to the switch.
And I have tried in another environment with a wireless device; the State attribute is also not the same before and after the CoA, but it is successful. The collected file is in wireless sucessful coa reauth.zip.
The other file and snapshots were collected on ISE 2.4.0.357 patch 8. I have also tried on ISE 3.1, and the errors are the same.
So how should the switch respond to make the process successful, or what configuration can I do on ISE?
Thank you in advance!!
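As an added illustration (not part of this thread, and not Cisco, H3C or ISE code), the script below models the two things this post is about: the RFC 5176 CoA-Request that carries cisco-av-pair=subscriber:command=reauthenticate to the switch, and a toy State table showing why an Access-Request that echoes a State from a session the server no longer tracks is reported as matching no active session. The shared secret, session names and the StateTable class are constructed for the example; the table is a simplification, not ISE's actual session handling.

```python
import hashlib
import hmac
import secrets
import struct

# RADIUS packet codes (RFC 2865, RFC 5176) and attribute types used here.
COA_REQUEST = 43
ATTR_STATE = 24
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9   # IANA enterprise number used by the cisco-av-pair VSA
CISCO_AVPAIR = 1      # vendor sub-type of cisco-av-pair

def encode_attr(attr_type, value):
    """RADIUS TLV: Length covers the two header octets plus the value."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def encode_cisco_avpair(text):
    """Wrap a cisco-av-pair string in a Vendor-Specific attribute (type 26)."""
    sub = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return encode_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)

def decode_attrs(body):
    """Walk the attribute list, refusing lengths that would run off the packet."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        attr_type, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, body[i + 2:i + length]))
        i += length
    return attrs

def decode_cisco_avpair(value):
    """Inverse of encode_cisco_avpair; raises on anything that is not a cisco-av-pair."""
    if len(value) < 6 or struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
        raise ValueError("not a Cisco VSA")
    if value[4] != CISCO_AVPAIR or value[5] != len(value) - 4:
        raise ValueError("malformed cisco-av-pair")
    return value[6:].decode()

def build_coa_request(secret, identifier, attrs):
    """RFC 5176 2.3: Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body

def verify_coa_request(packet, secret):
    """The NAD's receive-side check: code, declared length, and Request Authenticator."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

class StateTable:
    """Toy model (constructed, not ISE internals) of a RADIUS server's live EAP sessions,
    keyed by the opaque State attribute the server hands out in each Access-Challenge."""

    def __init__(self):
        self._by_state = {}

    def issue_challenge(self, session):
        """An Access-Challenge hands the NAD a fresh State that the next Access-Request must echo."""
        state = secrets.token_bytes(16)
        self._by_state[state] = session
        return state

    def close_session(self, session):
        """Server drops the session, e.g. after abandoning an EAP exchange that a reauth interrupted."""
        self._by_state = {s: n for s, n in self._by_state.items() if n != session}

    def classify(self, attrs):
        """Server-side view of an incoming Access-Request's State attribute."""
        states = [v for t, v in attrs if t == ATTR_STATE]
        if not states:
            return "new-session"      # no State: first round of a fresh EAP exchange
        if states[0] in self._by_state:
            return "continue"         # echoes a State the server still has a session for
        return "invalid-state"        # matches no active session (the condition ISE reports as 11051)

if __name__ == "__main__":
    secret = b"constructed-shared-secret"   # constructed value, not a real deployment secret
    coa = build_coa_request(secret, 7, [encode_cisco_avpair("subscriber:command=reauthenticate")])
    print("CoA-Request accepted by NAD:", verify_coa_request(coa, secret))
    table = StateTable()
    state = table.issue_challenge("eap-session-1")
    print("Access-Request echoing live State:", table.classify([(ATTR_STATE, state)]))
    table.close_session("eap-session-1")
    print("Same State after the session was closed:", table.classify([(ATTR_STATE, state)]))
```

When comparing the captures from the post, the thing to line up is the State value in the last Access-Challenge of the old EAP exchange against the State (if any) in the first Access-Request the switch sends after the CoA; a PAP/CHAP exchange never carries a State, which is one reason the two cases can behave differently.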
11-14-2022 12:44 PM - edited 11-14-2022 12:57 PM
Hi
Do you know why the CoA is being triggered? Is it because of ISE profiling?
Possibly, the H3C switch doesn't process the CoA re-auth as one might expect. Are you sure that this model of device supports RADIUS CoA Re-auth? In my experience this form of CoA is very Cisco specific. Most vendors will support the CoA packet of disconnect and very little else.
ISE does support other vendor devices, and if possible, one should assign these non-Cisco devices a Device Profile that matches the capabilities of the device, e.g. an HPE switch has a profile in ISE, because it handles CoA and other things differently to a Cisco switch. I had a look at what the HPE switch supports, and it does not support Re-Auth. Interestingly, I see the H3C Dictionary mentioned in the HPWired Network Device Profile. Perhaps these two vendors do things similarly.
The H3C switch processes CoA on port 3799 (which I see you're doing). Have you run a debug on the switch during and after the CoA, to see what the switch does?
Have you also seen this great article by Thomas Howard?
11-24-2022 08:41 PM
Hi, thank you for your reply.
Do you know why the CoA is being triggered? Is it because of ISE profiling?
I manually trigger it in Live Sessions while capturing the network traffic and logs. When profiling or posture triggers the CoA, the results are the same.
have you run a debug on the switch during and after the CoA, to see what the switch does ?
The switch shows logs like: Device DOT1X/7/EVENT: User failed to come online (UserMAC=000c-2944-2de5, VLANID=2, Interface=GigabitEthernet1/0/3). Reason: The RADIUS server rejected the authentication request.
I had a look at what the HPE switch supports, and it does not support Re-Auth
You mean in the ISE default Network Access Device Profiles, the HP Wired profile does not have CoA Re-authenticate enabled?
Actually I replicated a Network Access Device Profile and input h3c-av-pair or cisco-av-pair equals subscriber:command=reauthenticate.
My confusion is why it works in PAP or CHAP, but is not working in EAP.
Thanks.
11-24-2022 10:30 PM
Sounds like you have hit quite a specific roadblock. Perhaps it's time for a TAC case. I can't see why ISE would differentiate between a PAP/CHAP auth and an EAP auth with regards to sending a CoA.